CHFI Module 2 Exam With Complete Solutions
Latest Update
Computer forensics investigation - ANSWER Any forensic investigation that involves a computer in one way or another is termed a computer forensic investigation. The development of technology over the last two decades has been so rapid that it has made it much easier for criminals to hide information about their crimes. The advantage investigators have is that any type of computer crime leaves some kind of clue or evidence stored on a computer. Still, there are a number of cybercrimes that require computer forensic investigation; some of them are as follows:
Unauthorized access
Property theft (misuse of information)
Forgery
Privacy breach
Computer fraud
Child pornography
While investigating a computer crime, the investigator first has to establish that an incident has taken place and then assess its impact. Incident: any event that is not part of the standard operation of a service and which causes, or may cause, an interruption to or a reduction in the quality of that service. An incident threatens the security of an organization's computer system or network. The investigator has to verify complaints relating to intrusion, as some of them may turn out to be hoax calls. As far as an intrusion detection system alert is concerned, it can only indicate an attempted and unsuccessful intrusion, or it may be a false alarm. Thus, the investigator should analyze the strengths and weaknesses of the sources and take human factors into account along with digital factors. He/she should conduct a preliminary assessment in order to search for evidence. Thereafter, he/she should search and seize the computer equipment and gather evidence that can be presented in a court of law or during a corporate inquiry.
Requirements for an investigation - ANSWER Pre-investigation: the investigator should, prior to the investigation, do the following:
Create a workstation and data recovery lab.
Create an investigating team.
Form an alliance with a local district attorney.
Review the policies and laws.
Inform the decision makers and obtain authorization.
Analyze the risks.
Create a computer investigation toolkit.
Define the methodology.
Build a forensic workstation - ANSWER Before building a forensic workstation, the computer forensics approach should be clearly defined. The computer forensics workstation should have facilities and tools that can perform the following functions:
Support hardware-based local and remote network drive duplication.
Validate the integrity of the image and of the files.
Identify the date and time when files were modified, accessed, or created.
Identify deleted files.
Support removable media.
Isolate and analyze free drive space.
Form an Investigation Team - ANSWER The following are some of the points that the investigator should keep in mind while building an investigation team:
Keep the team as small as possible to maintain confidentiality and protect the organization against unwanted information leaks.
Identify the person who would respond to an incident, so that an internal computer investigation can be conducted effectively.
Ensure that the concerned authority grants each team member the needed clearances and permissions to perform assigned activities.
Nominate team members and decide upon the responsibility of each team member.
Hire an external investigation team comprising experts your organization lacks.
Make one team member responsible for the technical lead of the investigation.
People involved in computer forensics - ANSWER The people involved in computer forensics are as follows:
Expert witness: An expert witness provides a formal opinion as testimony in a court of law.
Evidence manager: The work of an evidence manager is to manage the evidence in such a way that it will be admissible in a court of law.
Evidence documenter: An evidence documenter documents all the evidence and the phases of the investigation process.
Evidence examiner/investigator: An evidence examiner/investigator examines the evidence acquired and sorts out the useful evidence.
Incident analyzer: An incident analyzer analyzes the incident on the basis of its occurrence.
Decision maker: A decision maker is responsible for authorizing a policy or procedure for the investigation process.
Incident responder: An incident responder is responsible for the measures to be taken when an incident occurs.
Photographer: A photographer takes photographs of the crime scene and the evidence gathered.
Attorney: An attorney gives legal advice.
Review policies and laws - ANSWER Reviewing policies and laws includes the following:
Understand the laws: Before commencing with the investigation process, it is essential to understand the laws that would be applicable to the investigation, along with the organization's internal policies.
Identify possible issues: This includes identifying possible issues that are relevant to applicable federal statutes, state statutes, and local policies and laws.
Best practices: Best practices include the following:
Establish the extent of the authority to search.
Identify legislation that may provide authority to investigate.
Seek the advice of counsel when specific issues are identified, to avoid mishandling the investigation.
Ensure the customer's privacy and confidentiality.
Forensics laws - ANSWER Different forensics laws are as follows: